Re: [codec] Spencer Dawkins' No Objection on draft-ietf-codec-opus-update-08: (with COMMENT)
Jean-Marc Valin <jmvalin@mozilla.com> Tue, 15 August 2017 17:23 UTC
Return-Path: <jmvalin@mozilla.com>
X-Original-To: codec@ietfa.amsl.com
Delivered-To: codec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74904132395 for <codec@ietfa.amsl.com>; Tue, 15 Aug 2017 10:23:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mozilla.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QvSUtuQS2XMS for <codec@ietfa.amsl.com>; Tue, 15 Aug 2017 10:22:59 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98FB013219E for <codec@ietf.org>; Tue, 15 Aug 2017 10:22:59 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id 76so7350108ith.0 for <codec@ietf.org>; Tue, 15 Aug 2017 10:22:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=MpvWks/BhqetursiDfEHqR7eO5ndzZJGPKyAdTKFYeI=; b=D+Qi8yXmkRPvxNjXHPsrYml374r3KYWaEwhdcoHp83bCsGFAsPOe8CV0zW6sXm7qI8 OSJWdZ31ylwZhTA3f06uQb57pDZ+8quAWsveaKPLDPrZVkPCUpwXpxHjz40vQuQpZu3/ orqE7d+P23qym1z8RcU2TCXNdC19PKbaxgo/U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=MpvWks/BhqetursiDfEHqR7eO5ndzZJGPKyAdTKFYeI=; b=sz6Z1enmvzLuCaDjwP1CcAVWLLUAmEqYVeyX/BHt8VxdwRGDqXQZCD9Odo5abVlJoZ c9vuTfPPragenNda+rO2uQD0uSN92Nbpi7wkqsMw9Z7QD3qFWVqJsStJIUKNqklsaypY nxkDnBMazQ7T4Xsjcl1ilUc53yrlt9DVnb9jxavoO4zFP9Wjq3jo9j5dHDAHXgK6+Naz E28ekQMo8SpSbeLipEG4Dpi9FoSN+ZePTYISonpY0b2p1jYUk9O4skoi99rYtTjWmKJz cFeW7jWV+1xKRvb/keorYzUCLod0nQLILqmj92hmFDgQUmMz7bXiZAPOmOyy4z/uxJ1c TuAQ==
X-Gm-Message-State: AHYfb5gddx4rDc0q5geU1wcLBxr/A+CgPvNdlZ16deCsJ025ErLW6J6N S+sE0IJTYbzsD59L
X-Received: by 10.36.69.13 with SMTP id y13mr1725834ita.100.1502817778671; Tue, 15 Aug 2017 10:22:58 -0700 (PDT)
Received: from panoramix.jmvalin.ca (modemcable067.31-56-74.mc.videotron.ca. [74.56.31.67]) by smtp.gmail.com with ESMTPSA id s44sm1017241ite.30.2017.08.15.10.22.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 15 Aug 2017 10:22:57 -0700 (PDT)
To: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, The IESG <iesg@ietf.org>
References: <150281524621.21110.4158788012236698670.idtracker@ietfa.amsl.com>
Cc: tterriberry@mozilla.com, codec-chairs@ietf.org, codec@ietf.org, draft-ietf-codec-opus-update@ietf.org
From: Jean-Marc Valin <jmvalin@mozilla.com>
Message-ID: <c7ac8e05-fb4a-f280-6b2b-0c5819a37649@mozilla.com>
Date: Tue, 15 Aug 2017 13:22:56 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <150281524621.21110.4158788012236698670.idtracker@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="bSQAbCxEKTaNn4hW0Wggdkvm4efh8iqAP"
Archived-At: <https://mailarchive.ietf.org/arch/msg/codec/kVaZrkYoghW8VtmwoDHV0JdLOEQ>
Subject: Re: [codec] Spencer Dawkins' No Objection on draft-ietf-codec-opus-update-08: (with COMMENT)
X-BeenThere: codec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec WG <codec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/codec>, <mailto:codec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/codec/>
List-Post: <mailto:codec@ietf.org>
List-Help: <mailto:codec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/codec>, <mailto:codec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 17:23:04 -0000
Hi Spencer, Thanks for the comments. See below. On 15/08/17 12:40 PM, Spencer Dawkins wrote: > I have no idea what an “extreme bitstream” is. Aren’t they all pretty much 0s > and 1s? > > More seriously, it would be nice to know what about the bitstream is extreme. What is meant here is that the bit-stream is trying to represent an extremely large value for the high LSF parameters. It's either impossible or at least extremely unlikely for an encoder to generate such a bit-stream that triggers the bug. So any occurrence would likely be specially crafted rather than random. Would you prefer the word "malicious" instead of "extreme" here? > Is there an obvious way that the decoder can know whether audio will be > downmixed outside the decoder? Section 10 thinks decoders can know that, > apparently. The most common case is when the application initializes a mono decoder (e.g. the receiver has just one speaker), but is decoding a stereo file (or the sender is sending a stereo stream). In that case, the down-mixing occurs in the decoder itself. In the other case, the application developer would have to explicitly tell the decoder that its stereo output is meant to be down-mixed. > In the security considerations, why is it highly unlikely that the read-only > table will be placed next to sensitive data? I’m not balloting Discuss on this > because the assertion is nested in a reported vulnerability with no known > exploit, but I am curious. Well, the linker will typically have a text segment where it puts all the executable code and the read-only data, separate from the heap and other writable areas. The out-of-bounds read is just 256 bytes before the target table and the text segment would typically be around 200 kB. So the only way for the out-of-bounds read to be outside of the text segment (which isn't sensitive because everyone can have it) is if the linker placed the table in the first 0.1% of the read-only segment. That being said, in response to the SecDir review, I proposed rewriting that part to say: "CVE-2017-0381 is fixed by Section 7 and can only result in a 16-bit out-of-bounds read to a fixed location 256 bytes before a constant table. That location would normally be part of an executable's read-only data segment, but if that is not the case, the bug could at worst results in either a crash or the leakage of 16 bits of information from that fixed memory location (if the attacker has access to the decoded output). Despite the claims of the CVE, the bug cannot results in arbitrary code execution." Would that address your concerns? Cheers, Jean-Marc
- [codec] Spencer Dawkins' No Objection on draft-ie… Spencer Dawkins
- Re: [codec] Spencer Dawkins' No Objection on draf… Jean-Marc Valin
- Re: [codec] Spencer Dawkins' No Objection on draf… Spencer Dawkins at IETF
- Re: [codec] Spencer Dawkins' No Objection on draf… Warren Kumari